In the UK, the 2017 Regulations provide that a regulated firm must carry out the following due diligence before establishing a business relationship with a customer:1
- identify the customer;
- verify the customer’s identity;
- assess, and where appropriate, obtain information on, the purpose and intended nature of the business relationship or occasional transaction; and
- where the customer is beneficially owned by another person, identify the beneficial owner and take reasonable measures to verify the identity of the beneficial owner so that the firm is satisfied that it knows who the beneficial owner is.2 For more details on the requirements in relation to beneficial ownership, see here.
In addition, for customers that are companies, the Regulations provide specific additional details which must be obtained, such as company number, address of registered office, law to which the company is subject, and full names of the members of the boards of directors.
The Regulations also provide that where the customer is a legal person, trust, company, foundation or similar legal arrangement, the relevant person must take reasonable measures to understand the ownership and control structure of that legal person, trust, company, foundation or similar legal arrangement.3
Financial institutions in the US, and regulated firms in the UK, must conduct customer due diligence (CDD) to assess the risks associated with a customer. A firm’s CDD policies, procedures, and processes should be commensurate with its AML risk profile as reflected in the risk assessment carried out by the firm and the firm’s assessment of the level of risk arising in any particular case. For more on risk assessments, see here.
Generally speaking, standard due diligence procedures may also include, but are not limited to:
- understanding the normal and expected activity for the customer’s occupation or business operations;
- conducting ongoing monitoring to identify and report suspicious transactions; and
- maintaining and updating customer information, including information regarding the beneficial owner(s) of legal entity customers.
Customers that present a higher risk of money laundering or terrorist financing should be subject to enhanced due diligence (EDD). The AML program should define when EDD should occur as well as what additional customer information should be collected. In the US, FinCEN recommends a holistic approach in determining whether a customer is high-risk based on a wide range of factors. In the UK, the 2017 Regulations specify when a customer should be subject to EDD and also specify particular steps that must or may be taken at each stage. For more on the requirements in the UK, see here.
EDD may include:
- for individuals, understanding the customer’s occupation and source of wealth, and learning the proximity to the bank of a customer’s residence and place of employment; and
- for businesses, understanding the customer’s type of business, primary trade area, whether transactions are expected to be domestic or international, the anticipated volume of transactions, total sales, information about major customers or suppliers, the occupation of individuals with ownership or control of the business accounts, the place of incorporation, the principal place of business, and financial statements.
2 Unless the customer is a company which is listed on a regulated market. For the definition of a regulated market, see the 2017 Regulations, art. 37, art 3.
3 Unless the customer is a company which is listed on a regulated market. For the definition of a regulated market, see the 2017 Regulations, art. 37, art 3.